Transcript

Executive Risk

Monday September 21, 2015 Northern Ohio Association for Financial Professionals 2015 Idea Exchange Seminar

Data Security/Privacy (Cyber) 101

Nicholas J Milanich , Vice President

Hylant Executive Risk

Phone # (216) 674-2413

[email protected]

hylantexecutiverisk.com

AGENDA

• The Risk

  – Cyber Attacks

  – Recent Data Breach Examples

  – Loss Statistics

  – Legislative Environment

  – Emerging Risks

• The Insurance

  – 3rd Party Coverage

  – 1st Party Coverage

  – Coverage examples

CYBER ATTACKS

• Microsoft Xbox, Sony PlayStation (denial of service)

• US State Department (cyber vandalism)

• US Weather Station (satellite system)

• Sony Pictures (corporate information)

• VeriSign (internet security company)

• TD Waterhouse (unauthorized access)

• YouTube (website content)

• CareFirst of Maryland (website content)

• Authorize.net (denial of service attack)

• Six Apart, Ltd. (denial of service attack)

• PaineWebber (malicious code)

RECENT DATA BREACH EXAMPLES

• Federal Government – Office of Personnel Management

  – Up to 20 million individuals' PII – names, addresses, DOBs, SSNs

  – KeyPoint contractor credentials compromised via zero-day malware (pre-patch)

• Anthem

  – 80 million current and former members' information

  – Unencrypted data; employee password compromised; state-sponsored action

  – Mostly PII: names, addresses, social security #s, medical ID #s, birth dates, salaries, email addresses

  – Self-insured plans may have notice requirements

• Home Depot

  – 56 million credit card numbers

  – Targeted attack at payment terminals

  – Announced estimated costs so far of $62 million

  – $27 million insurance recovery

  – 44 lawsuits consolidated to two: consumer and financial institution

• Target

  – 110 million credit/debit card numbers

  – Malware at POS

  – $236 million direct data breach costs; half for software upgrades

  – $90 million insurance recovery

HISTORICAL LARGE DATA BREACH EXAMPLES

• Heartland Payment Systems

  – 6th largest credit-card payment processor in the country

  – 100 million card transactions each month, 250,000 businesses

  – May–November 2008, spyware installed

  – Unencrypted credit card data – 250 million records

  – Magnetic stripe & names

  – More than 220 banks affected

• Hannaford Brothers

  – Grocery chain

  – 4.2 million credit/debit card numbers

  – 1,800 cases of identity theft

  – 26 lawsuits

• TJ Maxx

  – 94 million individuals

  – Criminals had access for 17 months

  – 3 years of credit monitoring / victim assistance

  – Follow-on D&O, other litigation

  – Total estimated cost over $1.3 billion

CYBER EXTORTION

• Avid Life Media – Ashley Madison (8/15)

  – Credit card info, names, addresses, email addresses – attackers demanded that the site be taken down and an undisclosed amount of money

• Nokia (7/14)

  – Source code for operating system – "several million euros"

• Domino's (6/14)

  – Customer data in Europe – $40,000 demand

• Express Scripts (2/12)

  – PHI – unknown demand

LOSS STATISTICS - FREQUENCY

Summary from Risk Based Security, Inc. – 2014

Number of Breaches

• 3,014 in 2014 – up 33%

• 2,261 in 2013

Number of Records Exposed

• 1.1 billion in 2014 – up 34%

• 823 million in 2013

How Records Were Exposed

• Outside (hackers) – 76%

• Inside, accidental – 9.5%

• Inside, malicious – 6%

• Inside, unknown – 4.5%

• Unknown – 4%

LOSS STATISTICS – FREQUENCY

Summary from Risk Based Security, Inc. – 2014

[Chart: Breaches by Industry – Business, Governmental, Education, Medical, Other (share of breaches)]

[Chart: Type of Information Exposed in Breach – Passwords, Usernames, E-Mail, Name, Address, SSN, DOB, Misc., Phone, Medical Info., Account #, CC #, Other Financials (percent of breaches, 0–80% axis)]

LOSS STATISTICS

Summary of Ponemon Institute’s 2014 Annual Cost of a Data Breach Report:

– Average cost and per record cost increased modestly to $5.8 million and $201, respectively.

– Direct costs are estimated at $66 per record (notification letters, credit monitoring, forensic IT, etc.)

Cost by industry class (per record)

Average $201

Education $294

Retail $105

Healthcare $359

Financial Institutions $206

LOSS STATISTICS

Summary of NetDiligence 2014 Cyber Claims Study:

– Insurance company database of actual claims between 2011–2013

– Average total cost was $733,109

– Only 12% of the claims resulted in follow-on litigation, only 5% in regulatory action and only 3% PCI fines/penalties

Cost Type – Average Cost

Forensics $119,278

Notification $175,147

Legal Guidance $117,613

Public Relations $4,513

Legal Defense $698,797

Legal Settlement $558,520

Regulatory Defense $1,041,906

Regulatory Settlement $937,500

PCI fines/penalties $2,328,667

LOSS STATISTICS

Possible Additional Costs Associated with Data Breach

– Defense costs and settlements associated with follow-on litigation

– Regulatory enforcement body (HHS, OCR, FTC, FCC, States Attorney General)

– Private plaintiffs (common law privacy, breach of contract, emotional distress allegations)

– HIPAA fines/penalties ($5k-$50k per offense, up to $1.5m cap)

– FACTA fines/penalties ($1k–$2.5k per employee + punitive damages, fees)

– PCI compliance fines/penalties

LEGISLATIVE ENVIRONMENT

• Federal Statutes

  – Gramm Leach Bliley, HIPAA, GINA, FACTA

  – Computer Fraud & Abuse Act, Stored Communications Act, Electronic Communications Privacy Act

  – Obama Personal Data Notification and Protection Act (pending): 30-day notification window, likely to pre-empt State Notification laws (below)

• State Notification Laws (46 + D.C., Puerto Rico, V.I.)

  – Mass. – requires written security policy, minimum standards

  – CA. – Zip codes

  – Ohio: Section 1349.19

    • Computer-related data only

    • Encryption safe harbor

    • Notification ASAP, within 45 days

    • $1,000/day penalties, which escalate after 60/90 days

• Common law allegations

  – Invasion of privacy

  – Negligence

  – Breach of implied contract

  – Right of publicity

ORC 2744 Ohio State Immunity

• Very little information regarding immunity and data breaches

• Expect to incur data breach expenses: notification, credit monitoring, forensic IT, etc.

• Contractual obligations: PCI/DSS

• Federal Statutes: HIPAA, HITECH, FACTA

EMERGING ISSUES

• NIST to become de facto standard?

• Supply chain data risk

• Chip & PIN (EMV) – retail merchants

• “Internet of Things” – open source, manufacturing

• Article III standing

• “Do not track” cases

• Persistent identifiers (User ID’s, device identifiers, IP addresses)

• Terms of service

• Legal developments in Cloud computing and BYOD

BASIC BEST PRACTICES

• Inventory your data: What kind? How much? Where is it? Who has access? How is it protected?

• Evaluate contracts with outside service providers – especially 3rd party IT, payment processors, data storage or data processing vendors

• Consider requiring certificates of insurance for both professional E&O and Data Security/Privacy (Cyber) coverage

• Continuous 3rd party security and vulnerability assessments of your organization

• Establish an incident response plan and team with experienced outside vendors

• Test your incident response plan

• Insurance is a “safety net”, but not a substitute for internal and external safeguards

John Menefee, CyberRisk Underwriting Manager

Travelers

Phone # (216) [email protected]

travelers.com

Network/Privacy Insurance

Coverage Triggers

• Virus transmission

• Failure to provide access

• Unauthorized access or use of data

• Failure to Notify

• Website/Social Media Liability

Covered Data

• Insured’s systems

• Data in transit

• Non-electronic data

• Data residing on others’ systems

• Employees’ data

• Corporate data


Network/Privacy Insurance – First Party Costs

Notification & Crisis Management Expenses

• Breach Coach

• Legal costs to determine applicability of breach laws

• Computer forensics

• Notification documents (preparing and sending)

• Call center for incoming and outgoing communications

• Payment card chargebacks

• Other fees to comply with requirements of breach laws

• Public relations expenses to respond to negative publicity and restore brand reputation

• ID Fraud Policies / Credit Monitoring to affected individuals


Network/Privacy Insurance – First Party Costs

• Crime

– Computer fraud

– Funds transfer fraud

• Cyber extortion

– Threat of release of information, damage of data or systems, introduction of virus, or restriction of access to system resources

• Fines/Penalties

– PCI contract penalties

– Regulatory fines/penalties

• Telecommunications theft

– Outgoing long distance phone calls

• Network business income/extra expense

– Business interruption due to network event – typically some form of denial of service

– Dependent Business Interruption (very limited market)


Limitations to watch for

• Specific exclusions to watch for

– “Reckless Disregard”

– Unencrypted laptops / mobile devices

– Violating own policies & procedures

– Keeping IT security up to date

– Exclusions for known viruses / malicious software

– Coverage limited to electronic data only

Coverage Examples

• Employee Mistake

• Unauthorized Access

• Lost Laptop

Disclaimer:

These examples are generic.

• CGL, E&O, and Cyber Insurance forms differ greatly between companies.

• Examples explore general coverage "intent" to illustrate the differences that may exist between the various coverages.

• Individual claim circumstances and complaint wording can trigger or limit coverage in a variety of ways.

Scenario 1 – Employee Mistake

What Happened:

Your employee accidentally or deliberately publishes private customer information on your company’s website or via e-mail. Your customer sues.

Coverage:

• Look for coverage under the personal injury section of the CGL.

• Publication of material that violates a right of privacy – check to see if your CGL excludes or limits this grant when the publication occurs in an electronic format.

• Look to a dedicated Cyber Liability policy.

Scenario 2 – Customer / Employee Info

What Happened:

A hacker gains unauthorized access to your network and steals personally identifiable information of employees and customers.

Coverage:

• Look for coverage in a Cyber Insurance policy.


Scenario 3 – Lost Laptop

What Happened:

An employee’s laptop computer containing customer information is lost or stolen during travel.

Coverage:

• Cost to replace the physical property that was stolen may be covered under a property policy; however, additional costs associated with an information breach typically will not be.

• May find coverage under a Cyber Liability policy.

• Check policy wording for limitations regarding whether the laptop needs to be part of the “communications network.”

• Check policy wording for limitations regarding encryption of data.

Thank you!
